Challenge: Further Work in Progress
web page is an attempt to make some order in the Chaocipher
cryptanalytic work found in
the open literature. In addition, I want to present my own
findings discovered while working on this
fascinating problem. It is my hope that the
information here will help
someone solve this long overdue challenge.
own interest in John F. Byrne’s Chaocipher dates back to the
seventies when I first read about Byrne’s Chaocipher in David
Kahn’s monumental “The
CodeBreakers”. A search
in the Hebrew University’s National Library in Jerusalem
uncovered Albert Einstein’s personal copy of
Years”, sent to him by John F. Byrne himself (link).
cryptology and cryptanalysis at the time, I attempted to make headway
with the plain- and ciphertexts in chapter 21. Failing to do
put the problem aside.
Over the years I returned to
the problem, waiting for a convenient time to “jump
in”. In August 2008 I decided that that time had
come. Collecting all the material I could find, together with
correspondences with several people, I began my own analyses.
Thought Before StartingBy and large, John F.
Byrne's Chaocipher challenge has been curiously ignored by the
cryptanalytic community. It would be expected that a system
that caught the attention of knowledgeable cryptologists like Colonel
Parker Hitt, William F. Friedman, Major Frank Moorman, Bell Labs, and
various representatives of the State, War, and Navy departments would
catch the fancy of amateur cryptanalysts.
One of the
reasons given for not tackling Chaocipher is that, by not revealing the
underlying system, Byrne violated the fundamental assumption
of military cryptography: that the enemy knows the general system.
Continuing this reasoning, it is a waste of time to work on a
system which, if revealed, would probably be easy to solve.
understand this sentiment, but have several comments to make:
Byrne should have divulged his underlying system, the challenge is a
fine one, well worth the effort to "prove one's mettle".
of the professionals mentioned above are quoted by Byrne as being
highly favorable of his system. It would probably not be
trivial to solve even if the underlying system were known.
are very few opportunities available today to duplicate the incredible
US effort of breaking the Japanese Purple cipher with no a priori
knowledge. Are we up to a similar challenge?
Years: Chapter 21Chapter
21 in Byrnes’s “Silent Years”  is the starting
point for working on the Chaocipher challenge. It describes
history of Chaocipher, the people Byrne showed it to and, most
importantly, the challenge plain- and ciphertexts. I have
uploaded a photocopy of the chapter to the Web (link).
addition, I’ve uploaded carefully edited text versions of all
place to start is Greg Mellen’s most excellent article in
Cryptologia (Volume 3 Number 3, July 1979, pp. 136-154) entitled
“J. F. Byrne
and the Chaocipher: Work in Progress”
. In it,
Mellen presented his partial findings after working
on the cipher. The article is thorough, giving
thoughts, ideas, and comments about the Chaocipher. By the
the article he presents what he believes in the most probable direction
for solving the cipher.
I highly recommend getting a
copy of the
article. It can be ordered over the Web. In the upcoming
sections I will attempt to summarize and relate to the most important
results of his research.
Chaocipher’s method is disclosed to Cryptologia EditorsIn
1990, John Byrne, son of John F. Byrne, demonstrated Chaocipher to two
Cryptologia editors (Lou Kruh and Cipher A. Deavours).
bound by a non-disclosure agreement, the two wrote an article in
Cryptologia entitled “Chaocipher
Enters the Computer Age When its
Method is Disclosed to Cryptologia Editors” .
Deavours hint at the possible direction and present three more
ciphertexts for would-be solvers.
then, is what we have to work with:
chapter 21 complete with the original Chaocipher challenge
files of all plaintext and ciphertext exhibits).
Mellen’s article summarizing his own research 
and Deavours’s article presenting tantalizing hints about the
Chaocipher’s method 
Mellen’s ResultsIn  Deavours and
the years many hypotheses about the cipher been suggested and most of
them were demolished in Mellen’s article, e.g., it is a crude
rotor system, contains an element of transposition, autokey cipher,
Vernam tape system, and a form of polyalphabetic cipher with a random
We can take
Deavour’s and Kruh’s word that the Chaocipher is
none of these.
My own isomorph search found the
following isomorphs in exhibit 1. None of the isomorphic
pairs have the same underlying plaintext so they are non-causal:
rules out any
cipher system that produces isomorphs such as autokeys, progressive
polyalphabetics, multiplex (e.g., strip cipher/M-94), the Wheatstone
cryptograph, the Kryha, and classic rotor systems (e.g., Hebern,
In the same article Deavours and Kruh add:
overlooked, possibly valuable clue is in The Editor’s
the American Cryptogram Association 1952-1956 [ed. kept by Henry E.
]. … According to Langen, “He
did explain that the machine is made up somewhat like a typewriter with
two revolving disks with the alphabets arranged along the periphery in
a complete disorder.” Langen commented
that “With only two disks used, I am a bit confused as to how
this can result in such utter chaotification of the plaintext
This hints at a form
of concentric disks with
mixed plain and cipher alphabets. At this point I’d
mention John Savard’s excellent cryptographic web site
particular, you should read his page entitled
Substitution”. John describes his
attempt to devise a cipher disk that approaches the power of a rotor
machine. After describing his scheme he writes:
Chaocipher, which was mentioned in David Kahn’s The
was subsequently the subject of a Cryptologia article, which indicated
that the principle of this wheel may have been used before in that
In the light of
Deavour’s and Kruh’s quote
from Langen’s diary, a study of Savard’s cipher
may be beneficial to anyone working on the Chaocipher.
Observation re pt/ct identitiesMellen’s
initial insight was that, in exhibits 1, 2, and 3, doubled plain
characters are never enciphered by double cipher characters.
example, looking at the first ten lines of Exhibit 1:
Line 1: C LY
Line 2: L TV
Line 3: T BZ
Line 4: H KY
Line 5: R IF
Line 6: J EO
Line 7: W EF
Line 8: B UZ
Line 9: R UT
Line10: U KQ
the mini-example here, enciphering of plaintext
results in doubled ciphertext letters (e.g.,
This phenomenon is (almost) true for all Chaocipher exhibits.
He deduced from this that:
He felt he was making
until he noticed the following in Exhibit 3, Message 5:
necessarily and causally changes from letter to letter.
cipher component moved at some point, enciphering the same plaintext
letter would result in a second, identical ciphertext letter.
is but one component and not a plurality of different, mixed,
cipher components. A plurality of cipher
virtually impossible to avoid a plaintext double being enciphered as a
pt: O R D E R S W R I T T E NAlthough
this could have been explained away as an enciphering error, Mellen
wanted to avoid such an assumption at this point. He noticed
Exhibit 3 is presented in lines of 26 letters. If the
algorithm worked on blocks of 26 letters, the two T’s would
separate blocks. This could explain the doubled pt = doubled
observed. The question was now whether the Chaocipher indeed
worked on blocks of 26 letters.
ct: O Y F C P R V J B Y Y G F
Mellen began writing
out in blocks of 26. He knew he would not encounter doubled
characters as doubled cipher characters. He did, however,
his search to see if a plain letter which was repeated in the 26-letter
line was represented twice within that line by the same cipher letter
(coined by Mellen as a “pt/ct identity”).
found negative results. For example, lines 9-10 show:
pt: W A L L G O O D Q Q U I C K B R O W N F O X E S J U
ct: W U K Q A S X K G S P W H R Y M T Q S O Q B A M A P
pt: M P O V E R L A Z Y D O G T O S A V E T H E I R P AThe
number of such instances in Exhibits 1 and 2 is so large as to preclude
their being errors. He did, however, notice that the pt/ct
identities always occurred in different halves of the 26-letter
blocks. Mellen revised his 26-letter hypothesis to 13-letter
lines, writing the exhibits out in 13-letter blocks.
ct: F Q R L I I U G T I V B E B Y X F B I U S E Y H M L
Exhibits 1, 2, and 3 there are a total of 1192 13-letter blocks for
which there is
plaintext. Mellen found only two blocks that have pt/ct
Line 114: pt: P U R S U I T O F H A P P
ct: J X M L S Q T V Z B Y J O
Line 176: pt: S T E M O F E N G L I S HFor
the record, Mellen missed six
other cases of pt/ct identities:
ct: O U Q F O Y U T E V V O D
Line 142: pt: U L D R E L I N Q U I S H
ct: B F B W Y Z L O Y B S S T
Line 151: pt: P O W E R S Q I N C A P A
ct: X Q Q R E X S U Z O X X U
Line 156: pt: N G T H E L A W S F O R N
ct: D S G D Z X O R W J J V D
Line 162: pt: D E O F N E W O F F I C E
ct: I I X J B C H V M Z C T I
Line 206: pt: I C E A N D M A G N A N I
ct: R I G A V V X I G Y K F R
Line 215: pt: O F O U R I N T E N T I ORegardless
of the actual number of pt/ct identities, Mellen correctly surmised
that, given 1192 13-letter blocks, we would statistically expect about
45 blocks with pt/ct
identities. The fact that only eight were
ct: H H C Y W F P Y M E R D C
At the close of his
presents a cipher system of his own. The system, based on
enciphering blocks of 13 letters, prevents pt/ct identities from
occurring within a given block. He concedes that his system
excludes phenomena that occur in the Chaocipher texts. He
concludes by saying:
I feel that I am
the right direction. I am currently looking at variations of the system
described and I am beginning to see, or beginning to imagine, other
phenomena in the ciphertext. These await further testing.
Mellen’s ResearchThis is the jumping-off point for
anyone analyzing the Chaocipher challenge.
observation about pt/ct identities is a critical one. There is no
doubt that it strongly indicates that the Chaocipher ciphertext is not
as random as Byrne believed it was. I
backtracked on assuming that the system is based on a block size and
wrote a program to collate all pt/ct identities in Exhibit 1,
regardless of where they occurred. In parallel
I ran the
same test, this time substituting Exhibit 1’s
ciphertext for a random text of
13,336 characters. The results were eye-opening:
between pt/ct identities||Number
of cases observed|
|. . .||. . .||. . .|
other words, scanning the 13,336 pt/ct characters of Exhibit 1 produced
no pt/ct identities with a distance of less than nine (9).
Byrne’s claim, the ciphertext is not a “jargon of
characters”. The fact that pt/ct identities are
than nine characters apart is a critical insight into the underlying
What system suppresses pt/ct
identities with a distance less than 9?I’ve
racked my brains to define a cipher system that never produce pt/ct
identities with a distance less than nine. The following
foots the bill nicely:
is obvious that a doubled plain letter will never be enciphered as a
doubled cipher letter. This is because the disks will have
shifted between 1 and 3 positions after the first plain letter is
- Two concentric
of 26 letters apiece representing the plain and cipher alphabets (e.g.,
a cipher disk).
- Two sliding strips are
- The disks are
aligned before enciphering
plaintext letter is enciphered by noting the ciphertext letter on the
- After enciphering
a single plaintext letter the plaintext disk is advanced 1, 2, or 3
- Any method can be used to
determine how much to advance the disk.
example, if the plaintext (or ciphertext) letter is in the range of:
advance one position
advance two positions
advance three positions
the encipherment step
In order for a pt/ct identity to occur,
must make a complete revolution relative to each other. The
fastest this can happen is if, over nine consecutive letters, the disk
advances three positions exactly eight times, and advances two
positions exactly once. In this case the disk will have
(8x3 + 1x2) = 26 positions, and the disks will be
similarly aligned, enabling a possible pt/ct identity.
is obvious that a pt/ct identity will never occur before a minimum of
ten letters, i.e., a distance of nine places.
a program to simulate this simple system exhibited the expected
results. Running it on the plaintext of Exhibit 1 gave the
|Distance between pt/ct
of cases observed|
|. . .||. . .||. . .||. . .|
haven’t investigated why this simple system results in zero
identities for distances of 17-20. The next distance not
encountered is 464, so we can assume that pt/ct identities occur for
all distances greater than 20.
It is important to note
the principle of this cipher -- the only disk advancements allowed are
1, 2, or 3:
advance of zero could produce a doubled plain letter as a doubled
- A negative advance (e.g., move the
disk in the opposite direction)
could also produce a pt/ct identity with a distance less than
nine. This would happen if the disk advanced by +1 for the
letter, then advanced by –1 for the second letter to return
the same alignment. If the third plaintext letter were the
as the first we would get a pt/ct identity.
2 and 3 don’t follow Exhibit 1’s leadWhen
I collated pt/ct identities in Exhibits 2 and 3 there were distances
less than 9:
between pt/ct identities||Number
of cases observed|
|Exhibit 2||Exhibit 3|
|. . .||. . .||. . .|
the moment I’m at a loss to explain how Exhibit 1, with
pt/ct characters, shows no pt/ct identities in under a distance of 9,
while Exhibits 2 and 3 show such distances with only 1,263 and 910
characters, respectively. Keeping in mind Mellen’s
that the doubled plain/cipher in Exhibit 3 may have been an enciphering
error, these six may just be so – enciphering errors.
now I’m focusing solely on Exhibit 1. Regardless of the
underlying system, it will have to explain why Exhibit 1 has the
phenomena we observed.
about the proposed systemThe
system as proposed above is a polyalphabetic whose disks advance 1, 2,
or 3 positions each letter. If the shifting sequence is
on the plain- or ciphertext we will have a quasi-random keying
sequence. Unlike a plain or cipher autokey cipher, the
system would be prone to repetitions and isomorphs, albeit possibly
fewer. Indeed, in my simulation, every second
good …” phrase was enciphered identically,
identical ciphertext. This is because the keying sequence is
regular, being based on the plain or cipher letters (autokey style).
enciphering Exhibit 1 using the proposed system produced massive
repetitions due to the “All good …”
The original Chaocipher texts have no repetitions, so the proposed
system is missing something.
another problem with
the proposed system. Given large plaintext and ciphertext
we could figure out the plain and cipher alphabets on the two disks:
above does not work out correctly. Following is a portion of
output of a program I wrote to list all doubled plaintext letters and
their corresponding ciphertext letters.
every doubled plain letter, the corresponding cipher letters c1
c2 are either 1, 2,
or 3 positions apart from each other in the cipher alphabet.
the given first letter c1,
there should never have more than three alternatives for c2.
the ciphertext letters corresponding to all doubled
plaintext letters should give us the cipher sequence.
we can derive the plain alphabet’s sequence
the plaintext and ciphertext sequences should allow a solution
using an “alphabet strip” method (often used by
Friedman to solve slide-based polyalphabetic systems).
|. . .||. . .|
ciphertext pairs in the right-hand column are sorted
You can see that for the ciphertext
“A?”, the ‘?’ can be one of 14
letters (i.e., “BCGHIJLOQRUVWZ”), not three as
expected. This apparently disqualifies the cipher system
Summarizing the findingsLet me
briefly summarize where I stand at the moment and state the challenge
as I see it.
- We discussed the concept of
identities, i.e., two identical pt/ct pairs occuring at a certain
- We showed that Exhibit 1 displays the
definitely non-random trait of no
pt/ct identities less than nine (9) positions apart. In other
words, no block of nine pt/ct pairs displays a pt/ct identity.
only cipher system I can think of that guarantees no pt/ct
identities within any nine sequential positions is two sliding
alphabets that shift either one, two, or three positions every time a
letter is enciphered.
- Collating all ct pairs (c1-c2)
corresponding to doubled plaintext letters (p-p) shows more than three
values of c2 for any
single value of c1.
system were item (3) above there would be only three different values
of c2 for any single
value of c1.
(3) and (4) are
Reiterating the challengeSo
the challenge is: can you postulate a cipher system that guarantees
item (2) above and explains item (4) at the same time?
References Byrne, John F.
1953. Silent Years. New York: Farrar, Straus
Mellen, Greg. 1979. J. F. Byrne and the Chaocipher,
Work in Progress. Cryptologia, 3(3): 136-154.
John Byrne, Cipher A. Deavours and Louis Kruh. Chaocipher
the computer age when its method is disclosed to Cryptologia
editors. Cryptologia, 14(3): 193-197.
Savard’s excellent cryptographic site can be found at
. I refer the reader to the page entitled “Polyalphabetic
(c) 2009 Moshe Rubin
Created: 19 February 2009
Last updated: 19 November 2009